Preventing Comment Spam With Spamhaus in ColdFusion and Java

Recently I turned comments on again for my blog, but I started getting hammered with spam comments so I looked into trying to figure out how to stop spammers.

Most people rely on some type of image based spam prevention. This is probably performance wise the best solution, the problem is when people with poor eyesight come in, or actual people come to spam your site. This solution doesn’t prevent that scenario.

A client of mine got me to look into SPF for protecting everyone else from someone masquerading as us. That somehow led me to spamhaus again. I had always thought of using them for spam filtering, but what I didn’t know is that you can use them for web submission protection. On the site, I learned that implementing their blacklist filtering is really easy to implement. Basically the way they work is that you supply part of your visitor, whether they are sending an email on port 25 or whether they are visiting on port 80, since Spamhaus includes their web site on their black list, if someone is sending spam mail, they will return for an http request.

Basically you have to send a request over to Spamhaus’ zen DNS server. If it returns a value, then they are a spammer, or at least they are listed at Spamhaus as a spammer. The method you use is you reverse the bytes of the IP address, for example if the IP address is 2.3.4.5 then you would send a DNS request over to Spamhaus like 5.4.3.2.zen.spamhaus.org. For Java and ColdFusion, I use InetAddress, but there are methods in every language to perform these tasks.

To explain, in the first line you are starting a cftry / cfcatch block. The reason for this is if the visitor’s server is clean, it will throw an error because it won’t be able to get a response. However, if it doesn’t throw an error, it will be able to complete.

So the way this code works is that it takes the visitor’s IP address, splits it into an array, copies it into a new array, and then reconstitutes it into the IP address string but backwards.

It then creates an instance of InetAddress and calls the getByName method passing in the created address and waits for a response. If it doesn’t get one, it does nothing. If it does get one, and the result is something that isn’t an empty string, such as 127.0.0.2, it will return and not allow whatever it is protecting to be executed.

If you are using Java the code could look like this:

try{

InetAddress inet = new InetAddress();

inet = inet.getByName(backwardsip.zen.spamhaus.org);

// this should return an IP, but it really doesn’t matter what it

// returns

String hostName = inet.getHostName();

// this is just to catch a possible error

if(hostName.length() > 0){

System.out.println(‘Visitor is dirty’);

return;

}

}catch(Exception e){

System.out.println(‘Visitor is clean’);

}

So far this is proving to be a good way to check for bad commentors. The problem is that if you are a high-traffic site, Spamhaus will want to charge you for the use of their static list. If you are a high-traffic site, you would want it anyway for performance reasons. I think the cost may be worth it though in hassle.